Trojan:Win32/Swisyn.K


Microsoft security software detects and removes this threat.
 
This trojan lowers your PC's security settings (it adds itself to the Windows Firewall exception list) and contacts a remote host, which could allow an attacker to perform a number of actions on your PC.


What to do now

The following Microsoft security software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Threat behavior

Installation
Trojan:Win32/Swisyn.K creates the following files on your PC:
 
  • %programfiles%\common files\services\csboybind.au
  • %programfiles%\common files\services\csboydvd.dll
  • %programfiles%\common files\services\csboydvd.ocx
  • %programfiles%\common files\services\csboytj.ocx
  • %programfiles%\common files\services\csboytt.dll
  • %programfiles%\common files\tencent\services.exe
  • %programfiles%\common files\tencent\tuziboyauto.dll
  • %programfiles%\common files\tencent\tuziboyauto.ocx
  • %programfiles%\common files\tencent\tuziboydw.ocx
  • <current folder>\mybat.bat
  • c:\documents and settings\administrator\local settings\temp\new_ddd67.exe_6b78578b7097c08eb500d2f8b8a1c1ac01931605.exe - detected as Trojan:Win32/Rimod
  • c:\documents and settings\all users\start menu\programs\startup\winlogon.exe
Payload
Modifies system security settings
 
Trojan:Win32/Swisyn.K adds its dropped component to the list of programs exempted from Windows Firewall filtering (the AuthorizedApplications exception list used by the Windows XP / Server 2003 firewall), so that its connections are not blocked. It does this by making the following registry modification. The path below is the one recorded on the analysis system, where the sample ran as Administrator; on another PC the value would point at the temp folder of whichever user ran the dropper:

Adds value: "C:\Documents and Settings\Administrator\Local Settings\Temp\new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe"
With data: "c:\documents and settings\administrator\local settings\temp\new_ddd67.exe_6b78578b7097c08eb500d2f8b8a1c1ac01931605.exe:*:enabled:qvod"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

 
Contacts remote host
 
The malware might contact a remote host at agent.qvod.com using TCP port 80. Note that "qvod", the display name it gives its firewall exception, matches this domain. Commonly, malware contacts a remote host for the following purposes:
  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer
This malware description was produced and published using our automated analysis system's examination of file SHA1 1ff614bdf337719543ba92dffa6631ea457125c8.

Symptoms

System changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:

%programfiles%\common files\services\csboybind.au
%programfiles%\common files\services\csboydvd.dll
%programfiles%\common files\services\csboydvd.ocx
%programfiles%\common files\services\csboytj.ocx
%programfiles%\common files\services\csboytt.dll
%programfiles%\common files\tencent\services.exe
%programfiles%\common files\tencent\tuziboyauto.dll
%programfiles%\common files\tencent\tuziboyauto.ocx
%programfiles%\common files\tencent\tuziboydw.ocx
<current folder>\mybat.bat
c:\documents and settings\administrator\local settings\temp\new_ddd67.exe_6b78578b7097c08eb500d2f8b8a1c1ac01931605.exe
c:\documents and settings\all users\start menu\programs\startup\winlogon.exe
 
  • The presence of the following registry modifications:
Adds value: "C:\Documents and Settings\Administrator\Local Settings\Temp\new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe"
With data: "c:\documents and settings\administrator\local settings\temp\new_ddd67.exe_6b78578b7097c08eb500d2f8b8a1c1ac01931605.exe:*:enabled:qvod"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
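
The following PowerShell triage script is an added example, not Microsoft's or this entry's own code. It checks a host for the file, firewall and network indicators listed in the Installation, Payload and Symptoms sections above, and parses the legacy firewall exception format (path:scope:Enabled|Disabled:display name) to flag entries that run from a Temp folder, no longer exist on disk, or carry a display name unrelated to the file name, which is exactly how the "qvod" entry above stands out. Assumptions: paths are resolved from the running system's environment rather than the hard-coded "c:\documents and settings\administrator" recorded on the analysis VM; every profile's Temp folder is searched for the same "new_ddd67.exe_*.exe" naming pattern (a generalisation of the single file named above); the AuthorizedApplications\List key only exists on Windows XP / Server 2003, so the firewall check silently returns nothing on later versions; both Program Files roots are checked on 64-bit systems.

```powershell
# Added triage example for Trojan:Win32/Swisyn.K (not code from the original entry).
# Reports file, firewall and DNS-cache indicators as objects with Type/Indicator/Detail.
$ErrorActionPreference = 'SilentlyContinue'

function New-Indicator($Type, $Indicator, $Detail) {
    New-Object PSObject -Property @{ Type = $Type; Indicator = $Indicator; Detail = $Detail }
}

function Get-SwisynFileIndicators {
    # Relative paths taken from the entry; resolved under both Program Files roots
    # because a 32-bit dropper on x64 sees %programfiles% as "Program Files (x86)".
    $relative = 'services\csboybind.au', 'services\csboydvd.dll', 'services\csboydvd.ocx',
                'services\csboytj.ocx', 'services\csboytt.dll', 'tencent\services.exe',
                'tencent\tuziboyauto.dll', 'tencent\tuziboyauto.ocx', 'tencent\tuziboydw.ocx'
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
    foreach ($root in $roots) {
        foreach ($rel in $relative) {
            $path = Join-Path (Join-Path $root 'Common Files') $rel
            if (Test-Path -LiteralPath $path) {
                New-Indicator 'File' $path ('modified ' + (Get-Item -LiteralPath $path).LastWriteTime)
            }
        }
    }
    # All-users Startup folder, resolved for any Windows version (XP path in the entry).
    $startup = Join-Path ([Environment]::GetFolderPath('CommonStartup')) 'winlogon.exe'
    if (Test-Path -LiteralPath $startup) {
        New-Indicator 'File' $startup 'winlogon.exe outside System32 is never legitimate'
    }
    # Assumption: the dropper name pattern is reused in other users' Temp folders.
    $tempRoots = "$env:SystemDrive\Users\*\AppData\Local\Temp",
                 "$env:SystemDrive\Documents and Settings\*\Local Settings\Temp"
    Get-ChildItem -Path $tempRoots -Filter 'new_ddd67.exe_*.exe' |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { New-Indicator 'File' $_.FullName 'dropper name pattern in Temp' }
}

function Get-SwisynFirewallIndicators {
    $listKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    if (-not (Test-Path $listKey)) { return }   # Vista and later keep rules under FirewallRules instead
    $key = Get-Item -Path $listKey
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        # Legacy exception format: <program path>:<scope>:<Enabled|Disabled>:<display name>
        if ($data -notmatch '^(?<path>.+?):(?<scope>[^:]+):(?<state>enabled|disabled):(?<label>.*)$') { continue }
        # Copy captures now: any later -match overwrites $Matches.
        $path = $Matches['path']; $state = $Matches['state']; $label = $Matches['label']
        if ($state -ne 'enabled') { continue }
        $reasons = @()
        if ($path -match '\\temp\\') { $reasons += 'program runs from a Temp folder' }
        if (-not (Test-Path -LiteralPath $path)) { $reasons += 'program no longer on disk' }
        $leaf = [IO.Path]::GetFileNameWithoutExtension($path)
        if ($label -and $leaf -notlike "*$label*") { $reasons += "display name '$label' does not match file name" }
        if ($reasons.Count -gt 0) { New-Indicator 'Firewall' $name ($reasons -join '; ') }
    }
}

function Get-SwisynDnsIndicators {
    # A cached lookup of the C2 host is a weak but cheap signal of recent beaconing.
    if (ipconfig /displaydns | Select-String -SimpleMatch 'agent.qvod.com') {
        New-Indicator 'DNS' 'agent.qvod.com' 'present in resolver cache (entry names TCP/80)'
    }
}

@(Get-SwisynFileIndicators; Get-SwisynFirewallIndicators; Get-SwisynDnsIndicators) |
    Format-Table Type, Indicator, Detail -AutoSize
```

Run it from an elevated PowerShell prompt, since the firewall policy key and other users' Temp folders are not readable otherwise. The firewall heuristics are deliberately generic: on an XP-era host they will also surface unrelated stale or oddly named exceptions, which is usually worth a look during an incident anyway.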
 

Prevention


Alert level: Severe
First detected by definition: 1.129.87.0
Latest detected by definition: 1.185.3495.0 and higher
First detected on: Jun 19, 2012
This entry was first published on: Jun 22, 2012
This entry was updated on: Oct 07, 2013

This threat is also detected as:
  • Backdoor.Graybird (Symantec)